Apply DoS Profile Only to Specific URLs

I'm using 11.4.1 and have been tasked with adding additional protection to public facing pages that contain a form that when submitted sends emails. We get a lot of complaints when those pages are scanned and a huge number of emails are sent throughout the company. We are looking for a solution that can be applied for all pages that have this action instead of putting this protection into each website.

My initial thought on this was to use the DoS Profile setup for TPS-based Anomaly. However, this is applied on a virtual server level and will therefore apply to every page on that server. My preference is to only apply this to the public facing email forms without applying rate limiting across the entire site which could break customer processes.

I was hoping this would be as easy as using an LTM policy to turn on and off the DoS Profile per URL, but it doesn't look like that functionality is available.

Is there any way of either applying the DoS Profile based on the URL? If not, is there a way to send specific URLs to a specific virtual server which I could then set up just to manage the email page and have the DoS Profile applied? Any other ways of doing rate limiting in the F5?

I realize that doing rate limiting on the websites or servers themselves would be best, but getting developers to update websites for changes like this is like herding narcoleptic cats.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

A local traffic policy (Local Traffic ›› Policies : Policy List) should be able to do this. Only at specific URLs enable the l7dos profile.

Comments on this Answer
Comment made 20-Jul-2015 by PeterHession 61
Didn't realize l7dos was the same thing. However, when I try to add it as a control in the policy I get the following error "rule is missing an action controlling 'l7dos'" even though the DoS profile is set up and applied to the virtual server. Is l7dos truly the same as the DoS Profiles?
Comment made 20-Jul-2015 by PeterHession 61
Guess I was victim of F5's wonderful error messages and this should work as boneyard said. "If you require a rule that has specific conditions to send traffic to the l7dos or asm controls, you may have to create a default rule with no conditions where action is set to disable l7dos or asm, and a second rule with specific conditions where action is set to enable l7dos or asm."
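The two-rule arrangement quoted in the last comment, sketched as a bigip.conf-style policy stanza. This is an added example, not configuration posted by anyone in the thread: the policy name, DoS profile name and form paths are hypothetical, the rule order assumes a first-match strategy, and the syntax should be checked against the TMOS version in use.

```tmsh
# Added illustration: all object names and paths below are hypothetical.
# Assumes the DoS profile is also attached to the same virtual server
# as this policy, and that the policy uses a first-match strategy.
ltm policy /Common/email_form_dos_policy {
    controls { l7dos }
    requires { http }
    rules {
        email_forms {
            actions {
                0 {
                    l7dos
                    enable
                    from-profile /Common/email_form_dos
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /contact /feedback }
                }
            }
            ordinal 1
        }
        default_no_dos {
            actions {
                0 {
                    l7dos
                    disable
                }
            }
            ordinal 2
        }
    }
    strategy /Common/first-match
}
```

With first-match evaluation the conditional rule needs the lower ordinal, otherwise the condition-less rule matches every request and the form URLs never get the DoS profile. Every rule carries an l7dos action, which is what the "rule is missing an action controlling 'l7dos'" error in the thread was asking for.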